Ground Controller Lvl 1
Message 1 of 4

What is the best way to acquire AuditLog in organization?

Although there is a description of "Advanced auditing" for github.com Enterprise, can we get all audit logs in an organization?
Is it more detailed than the AuditLog on the management console?
What is the best way to acquire the AuditLog in an organization?
API?
Webhook for all events?
Download CSV from the management console?

3 Replies
Ground Controller Lvl 1
Message 2 of 4

Re: What is the best way to acquire AuditLog in organization?

This is also something we could use too.  Can we have access to the AuditLog from the API please?

GitHub Staff
Message 3 of 4

Re: What is the best way to acquire AuditLog in organization?

There are a few options for accessing this data which may be consumed singularly or in parallel. Our telemetry features include: the audit log API, audit log UI, audit log data export and multi-level webhooks at the enterprise, organization and repo level. I have provided documentation and further detail for each of the options below.

  • The audit log allows administrators to quickly review the actions performed by members of your enterprise organizations. It includes details such as who performed the action, what the action was, and when it was performed. If you are not using the Audit Log UI built into the GitHub Enterprise admin interface, we have this help article that will describe how to programmatically query events that occurred in your GitHub Enterprise Cloud instance based on the organization, repository, user, action performed, time of action and location. You can query these specific log events directly from our Audit Log API using GraphQL.
  • Webhooks allow you to build or set up integrations, such as GitHub Apps or OAuth Apps, which subscribe to certain events on GitHub Enterprise Cloud. When one of those events is triggered, we'll send an HTTP POST payload to the webhook's configured URL. Webhooks can be triggered whenever a variety of actions are performed on an enterprise, organization or repository. For example, you can configure a webhook to execute whenever: a repository is pushed to, a pull request is opened, a GitHub Pages site is built or a new member is added to a team. Webhooks can be installed on an enterprise, organization or a specific repository.

Both the audit log API and webhooks can be leveraged to integrate into modern reporting tools such as Logstash. The data received can then be indexed by Elasticsearch and analyzed through your Kibana or data visualization dashboard. In some cases it may be necessary to write a simple script that bridges our reporting services with your reporting tools.

Try this Audit Log API GraphQL query to retrieve the last 100 audit log events on your organization.

POST: https://api.github.com/graphql

query {
    organization(login:"<org_name>") {
      auditLog(last:100){
        edges{
          node{
            ... on AuditEntry {
              action
              actorLogin
              createdAt
            }
          }  
        }
      }
    }
}
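
The "simple script that bridges" idea from the reply above, as an added example that is not part of the original post and is not GitHub's code. It reuses the query's fields, pages backwards through older events with the connection's `before` cursor and `pageInfo`, and flattens each page to one JSON object per line for a log shipper. The function names, the token passed in by the caller and the sample response are assumptions constructed for illustration.

```python
import json
import urllib.request

GRAPHQL_URL = "https://api.github.com/graphql"  # endpoint given in the post
# Same fields as the query in the post, plus cursor paging (standard GraphQL
# connection arguments) so history beyond the last 100 events can be walked.
QUERY = """
query($org: String!, $before: String) {
  organization(login: $org) {
    auditLog(last: 100, before: $before) {
      pageInfo { startCursor hasPreviousPage }
      edges { node { ... on AuditEntry { action actorLogin createdAt } } }
    }
  }
}
"""

def build_request(org, token, before=None):
    """Build the POST for one page; `before` is the prior page's startCursor."""
    body = json.dumps({"query": QUERY, "variables": {"org": org, "before": before}})
    headers = {"Authorization": "bearer " + token, "Content-Type": "application/json"}
    return urllib.request.Request(GRAPHQL_URL, data=body.encode(),
                                  headers=headers, method="POST")

def to_ndjson(response):
    """Return (ndjson_lines, next_cursor); next_cursor is None when no older page exists."""
    if response.get("errors"):
        # GraphQL reports failures in the response body, so check it explicitly.
        raise RuntimeError(response["errors"][0].get("message", "GraphQL error"))
    log = response["data"]["organization"]["auditLog"]
    lines = []
    for edge in log["edges"]:
        node = edge.get("node") or {}
        if node.get("action"):  # skip empty nodes instead of indexing blanks
            lines.append(json.dumps(node, sort_keys=True))
    page = log["pageInfo"]
    return lines, (page["startCursor"] if page["hasPreviousPage"] else None)

# Constructed sample response (not real audit data) so the example runs offline.
SAMPLE = {"data": {"organization": {"auditLog": {
    "pageInfo": {"startCursor": "CURSOR_A", "hasPreviousPage": True},
    "edges": [
        {"node": {"action": "team.add_member", "actorLogin": "octocat",
                  "createdAt": "2020-01-01T00:00:00Z"}},
        {"node": {}},  # entry with no fields returned
    ]}}}}

if __name__ == "__main__":
    print("\n".join(to_ndjson(SAMPLE)[0]))
```

A caller would send `build_request(...)` with `urllib.request.urlopen`, pass the decoded JSON to `to_ndjson`, and repeat with the returned cursor until it is `None`.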

 

Copilot Lvl 3
Message 4 of 4

Re: What is the best way to acquire AuditLog in organization?

I've started experimenting with the audit log GraphQL querying features in our Enterprise Cloud orgs; however, we still have a few orgs, such as some free open source team accounts, that are not on that product.

In that scenario, it seems like there are still a few gaps - for example, installing or configuring GitHub Apps and OAuth apps does not seem to send any organization events, and changing team members to maintainers, or vice versa, does not have events triggered, either.

Is it possible that the org-level webhooks might eventually include new events to help with these gaps in the collect-the-events-yourself approach?